Card Data Security and Social Engineering
By Riaan Viljoen: Information Security Specialist, Capricorn Group
We live in times where fraudsters look like neighbours and sound like friends. When it comes to private and payment card information, make sure you understand how Social Engineering can be used to compromise your financial security.
Fraudsters are masters of Social Engineering and know how to engage people in a way that creates misguided trust. It involves manipulating individuals via various channels such as phone calls, email, SMS and social media into divulging confidential and/or card information.
Some social engineering scams involve sending emails that seem to come from a legitimate source, e.g. your bank, requesting confidential information such as card numbers, passwords etc. (often as part of a supposedly required 'update' exercise). This is called phishing. Neither Bank Windhoek nor any other financial institution will ever request information or prompt a response in this way. Pay close attention to the sender's email address. It is likely a falsification of a known email address or domain, which might include subtle spelling errors such as email@example.com or firstname.lastname@example.org
Spear-phishing is similar to phishing; however, the attack is targeted at a specific company, person or group, and has a more personal feel to it. A mail would seem to be coming from a company head or department manager, requesting users to urgently click on a link or open an attachment (again, pay close attention to the sender's email address and spelling). Such attacks often first acquire personal information via company websites or social media platforms such as Facebook, to create a sense of familiarity with the intended victim.
Vishing is the voice equivalent of phishing: fraudsters engage victims in a friendly and helpful conversation, claiming to be from your bank and asking for assistance with a mobile app upgrade or a security enhancement. These calls will also have a sense of urgency attached to them, e.g. "Your account might be compromised if you do not upgrade right now." Fraudsters will pretend to know staff or inside information from your bank. This is the quickest way victims are lulled into trusting the authority and mandate of the caller. Victims are requested to enter information on the mobile app, to share or forward information, or to respond to a text message. Never obey instructions from an unsolicited phone call. Never share the OTP (one-time PIN) you receive by SMS with the caller in such a conversation. These PINs are triggered only when a transaction is taking place on your account. If you did not initiate a transaction, do not help to complete one! As far as your card information is concerned, and only if you initiated the call, only ever share the first 6 and last 4 digits of the card number.
SMShing involves requesting victims to follow prompts sent by SMS or social media. This can happen independently or as part of a Vishing attack. Again, no legitimate contact from any bank will request confidential information in such a manner. If you receive a suspicious or unexpected call from someone claiming to be from your bank, especially after hours, get a name and tell the caller that you will phone them back on your bank's official number. Obtain this number yourself.
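Two of the checks above, the sender-domain inspection for subtle misspellings and the "first 6 and last 4 digits only" rule for card numbers, can be made mechanical. The following is an added example written for this article, not code from Bank Windhoek or Capricorn Group; the legitimate domain list and the card number are constructed placeholders.

```python
"""Defender-side helpers for two pieces of advice in the article (added example)."""
import re

# Constructed placeholder: the sender domains your bank actually uses.
LEGITIMATE_DOMAINS = {"bankexample.com", "mail.bankexample.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_verdict(sender: str, legitimate=LEGITIMATE_DOMAINS, max_dist: int = 2) -> str:
    """Classify the domain part of a From: address.

    "legitimate" for an exact match; "lookalike" when the domain is within
    max_dist edits of a real one (a dropped, swapped or substituted letter,
    as the article warns); "unknown" otherwise. A lookalike is the strongest
    phishing signal because it is built to be misread.
    """
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    if domain in legitimate:
        return "legitimate"
    for good in legitimate:
        if levenshtein(domain, good) <= max_dist:
            return "lookalike"
    return "unknown"


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits of a card number (the most a
    caller should ever be given); every other digit is replaced with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
```

`sender_domain_verdict` only looks at the domain string; it does not replace SPF/DKIM checks done by the mail server, it catches the visual trick the article describes.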
By reminding yourself that fraud is a continually evolving science and staying aware of the various methods used to obtain your hard-earned money, you will be able to identify a fraudster more easily and protect yourself against their onslaught.